Advanced Threat Mitigations via SSL Intercept
Published Feb 23, 2016
Version 1.0
The mechanics are simple: an insert/replace of each valid Public-Key-Pinning header is supposed to clear out the old entries and set them to the values in the latest response. See section 2.3.1 of the RFC.
That said, HPKP is complex and can brick a domain, so tread lightly and use -report-only with much validation before pulling the trigger!
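Added example (not part of the article or the comment above): a small model of how a user agent processes a `Public-Key-Pins` header, showing the replace-not-merge semantics the comment describes, plus the validation that makes a malformed or backup-less header get ignored rather than break the domain. The `PinStore` class, `fake_pin` helper and all pin values are constructed for illustration; real pins are the base64 SHA-256 of a certificate's SPKI.

```python
import base64

# Constructed sample pins (base64 of 32 dummy bytes); real pins hash a SPKI.
def fake_pin(byte):
    return base64.b64encode(bytes([byte]) * 32).decode()

def parse_pkp(value):
    """Parse a Public-Key-Pins(-Report-Only) value. Returns None when the header
    is invalid (malformed pin, missing max-age), which a UA must ignore."""
    pins, max_age, subdomains, report_uri = [], None, False, None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            try:
                if len(base64.b64decode(val, validate=True)) != 32:
                    return None          # SHA-256 digest must be exactly 32 bytes
            except ValueError:           # binascii.Error is a ValueError
                return None
            pins.append(val)
        elif name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        return None                      # max-age is mandatory for the enforcing header
    return {"pins": pins, "max_age": max_age,
            "subdomains": subdomains, "report_uri": report_uri}

class PinStore:
    """Hypothetical minimal model of a UA's noted-pinned-hosts store."""
    def __init__(self):
        self.hosts = {}

    def note(self, host, header, chain_pins):
        """Process one PKP header received over a validated TLS connection.
        chain_pins: set of pin-sha256 values computed from the served chain."""
        parsed = parse_pkp(header)
        if parsed is None:
            return "ignored"             # invalid header: existing entry untouched
        pins = set(parsed["pins"])
        if not pins & chain_pins or not pins - chain_pins:
            return "ignored"             # need one matching pin and one backup pin
        if parsed["max_age"] == 0:
            self.hosts.pop(host, None)
            return "cleared"
        self.hosts[host] = parsed        # replace, never merge: old pins are gone
        return "noted"
```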